OFFICE OF THE INSPECTOR GENERAL
SOCIAL SECURITY ADMINISTRATION

THE SOCIAL SECURITY ADMINISTRATION’S CONTROLS FOR ENSURING THE REMOVAL OF SENSITIVE DATA FROM EXCESSED COMPUTER EQUIPMENT

November 2010   A-14-10-11003

AUDIT REPORT

Mission
By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA’s programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.

Authority
The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

•   Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
•   Promote economy, effectiveness, and efficiency within the agency.
•   Prevent and detect fraud, waste, and abuse in agency programs and operations.
•   Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
•   Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

•   Independence to determine what reviews to perform.
•   Access to all information necessary for the reviews.
•   Authority to publish findings and recommendations based on the reviews.

Vision
We strive for continual improvement in SSA’s programs, operations and management by proactively seeking new ways to prevent and deter fraud, waste and abuse. We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.

SOCIAL SECURITY
MEMORANDUM

Date:      November 10, 2010                                   Refer To:
To:        The Commissioner
From:      Inspector General
Subject:   The Social Security Administration’s Controls for Ensuring the Removal of Sensitive Data from Excessed Computer Equipment (A-14-10-11003)

OBJECTIVE
Our objective was to determine whether the Social Security Administration (SSA) implemented Recommendation 5 from our December 2002 report, Physical Security for the Social Security Administration's Laptop Computers, Cellular Telephones, and Pagers (A-14-02-32061),[1] and followed its policies and procedures for the disposal[2] of workstations and servers.[3]

BACKGROUND
SSA donates excess IT equipment[4] when possible. The Agency may also sell or destroy the equipment. SSA policy[5] requires that IT media be sanitized or destroyed before its disposal. At Headquarters, IT equipment disposal is centrally performed. At all other SSA locations, each office disposes of its own IT equipment. See Appendix C for a description of these processes.

[1] We recommended SSA improve its security procedures for disposing of excess laptops. This should include a risk assessment to determine the appropriate level of cleaning of the excess laptops. The Agency should also designate an employee from each component to be responsible for certifying and erasing all information from the excess laptops according to SSA's disposal procedures for Headquarters. The laptops should be tested, on a sample basis, to verify that all programs and data are effectively erased prior to donation.
[2] SSA policy indicates that disposal methods for personal property include certain donations, sale, abandonment, and destruction, among others. Administrative Instructions Manual System (AIMS) Materiel Resources Manual (MRM) Section 04.29.03. SSA policy also indicates that prior to releasing to vendors, disposing, or donating information technology (IT) media, the media must be sanitized or destroyed in a manner that prevents unauthorized disclosure of sensitive information. SSA, Information System Security Handbook (ISSH), Section 10.3.1.
[3] A server is a computer that provides services used by other computers.
[4] Excess IT equipment is equipment retired by SSA for various reasons, such as equipment refreshment and replacing equipment that stopped functioning.
[5] ISSH, Section 10.3.1.

In our December 2002 report, we identified two laptops that were not properly sanitized[6] before disposal. In fact, our forensic investigators were able to restore personally identifiable information (PII)[7] from these laptops.[8] As a result, we recommended SSA improve its security procedures for disposing of excess laptops, including testing laptops, on a sample basis, to verify that all programs and data are effectively erased before their donation.

The Privacy Act of 1974 requires that each Federal agency establish safeguards to ensure the security and confidentiality of the records it maintains.[9] Furthermore, the Office of Management and Budget (OMB) has issued several memorandums[10] to stress the importance of the protection of PII maintained by the Government. Federal agencies are required to apply National Institute of Standards and Technology (NIST) guidance to sanitize information system media before disposal,[11] and the General Services Administration’s Federal Management Regulation (FMR) requires that Federal agencies implement policies and procedures for removing sensitive or classified information from property before disposal.[12]

[6] Sanitization refers to the process of removing data from storage media, such that there is reasonable assurance the data may not be easily retrieved and reconstructed.
[7] PII refers to information that can be used to distinguish or trace an individual's identity, such as their name, Social Security number, biometric records, etc., alone or when combined with other personal or identifying information, which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.
[8] We found 5,308 Social Security numbers, wage information, and names on the hard drives of the 2 laptops.
[9] Pub. L. No. 93-579 § 552a(e)(10), 5 U.S.C. § 552a(e)(10). This section of the Privacy Act also requires that such safeguards protect against any anticipated threats or hazards to the security and integrity of such records, which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained.
[10] OMB Memorandums M-06-15, Safeguarding Personally Identifiable Information, May 22, 2006; M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments, July 12, 2006; and M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007.
[11] The Federal Information Security Management Act of 2002 (FISMA) requires compliance with information security standards promulgated under § 11331 of Title 40, which includes standards promulgated by NIST. Pub. L. No. 107-347, Title III, Section 301 § 3544(a)(1)(B)(i), 44 U.S.C. § 3544(a)(1)(B)(i). NIST recommends organizations sanitize information system media prior to disposal, release out of organizational control, or release for reuse. NIST Special Publication (SP) 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, Appendix F, Security Control Catalog, Page F-74, MP-6, Media Sanitization, August 2009.
[12] FMR, Subchapter B § 102-35.30(c).

The scope of our 2002 review was limited to testing excess laptops[13] at Headquarters. In our current review, we tested workstations, laptops, and servers that were sanitized and awaiting disposal at SSA’s Headquarters and Philadelphia Region. In total, we tested 274 hard drives.[14] Based on the results identified in the following section, we performed additional testing in some of SSA’s regions. See the “Other Matters” section of this report. For additional Background and Scope and Methodology, see Appendices B and C, respectively.

RESULTS OF REVIEW
We found the Agency had partially implemented Recommendation 5 from our 2002 report to improve its security procedures for disposing of excess laptops. We also found that SSA generally complied with its IT equipment disposal policies and procedures. However, there are opportunities to enhance the Agency’s IT equipment disposal policies and procedures. Our review identified the following issues.

•   SSA partially implemented our prior recommendation and should revise its IT media disposal policies and process.
•   IT media awaiting disposal contained PII.
•   IT media from equipment awaiting disposal was missing.

SSA PARTIALLY IMPLEMENTED OUR PRIOR RECOMMENDATION AND SHOULD REVISE ITS IT MEDIA DISPOSAL POLICIES AND PROCESS

In our 2002 report, we recommended SSA improve its security procedures for disposing of excess laptops. This should include

1. assessing risk to determine the appropriate level of cleaning of the excess laptops;
2. designating an employee from each component to be responsible for certifying and erasing all information from the excess laptops according to SSA's disposal procedures for Headquarters; and
3. testing laptops, on a sample basis, to verify that all programs and data are effectively erased before their donation.

Since our 2002 review, SSA has established an agencywide security policy in its ISSH requiring that before disposal, the IT media must be sanitized or destroyed in such a way that prevents unauthorized disclosure of sensitive information.[15] The policy also requires specific sanitization and destruction methods to be applied in a manner that makes all data unrecoverable.[16] Therefore, a risk assessment, as required by our previous recommendation, is not needed to determine the appropriate level of cleaning of the excess laptops.

[13] See Footnote 4.
[14] The hard disk drive is the main, and usually largest, data storage device in a computer. The operating system, software titles, and most other files are stored on the hard disk drive.
[15] ISSH, Chapter 10, Disposal of Information Technology Media Policy, Section 10.3.1, Disposal/Donation of Information Technology Equipment.

SSA’s policy does not require that each component designate an employee to certify that excess equipment is properly sanitized. According to NIST, organizations should ensure that property management officials are included in documenting the media sanitization process to establish proper accountability of equipment and inventory control.[17] At Headquarters, designated personnel oversee the performance of sanitization contracts, which require sanitization documentation. In the regions, however, this documentation is not required.

SSA policy for Headquarters and its regions also does not require that workstations, laptops, or servers be tested, on a sample basis, to verify that all programs and data are effectively erased prior to donation. NIST guidance states that verifying the selected information sanitization and disposal process is an essential step in maintaining confidentiality.[18] A representative sampling of media should be tested for proper sanitization to assure the organization that proper protection is maintained.[19] Based on the above discussion, we concluded that SSA partially implemented our prior recommendation.

Moreover, SSA’s policy[20] on “Disposal of Personal Property” does not reference the ISSH IT media disposal policy. The AIMS instruction had not been updated since 1996. As a result, Agency staff may not have been aware of proper sanitization procedures for IT equipment before disposal.

[16] To sanitize IT media, one of the following methods must be used: 1) approved overwrite utilities; 2) degaussing; or 3) physical destruction of the media. The overwrite utility must completely overwrite the media with repetitive characters, making the data unrecoverable. Degaussing must be performed with a certified tool designed for the media being degaussed. Certification of the tool is required to ensure the magnetic flux applied to the media is strong enough to render the information irretrievable. Examples of physical destruction include shredding, pulverizing, and burning. ISSH, supra.
[17] NIST SP 800-88, Guidelines for Media Sanitization, Section 4.8, September 2006.
[18] NIST SP 800-88, supra at Section 4.7.
[19] Id.
[20] SSA, AIMS, MRM § 04.29.

Although SSA had an IT media disposal policy[21] and process, the following enhancements are needed.

1. Designate one or more employees within each region to certify and erase all information from IT media.
2. Require that workstations, laptops, and servers be tested, on a sample basis, to verify that all programs and data are effectively erased before disposal.
3. Identify and resolve the gaps between SSA’s IT media sanitization policy located in the ISSH and its procedures located in AIMS.

IT EQUIPMENT SANITIZATION AND DISPOSAL PROCESS

We tested 274 hard drives of excess IT equipment identified by Agency staff as sanitized and awaiting disposal to determine whether they were, in fact, properly sanitized. At Headquarters, we selected 45 hard drives from workstations for testing; no laptops or servers were available during our audit period. We also selected 229 hard drives from workstations, laptops, and servers at 5 sites in the Philadelphia Region.[22] As shown in Tables 1 and 2 below, we found:

•   5 of 253 workstation hard drives (2 percent) were not properly sanitized. SSA staff stated that SSA’s contractor sanitized the five workstation hard drives; however, four of the five contained PII.
•   Hard drives were missing from 39 workstations and 2 laptops. SSA could not provide documentation that the hard drives were properly disposed of.

Table 1: OIG Hard Drive Test Results by Type of Equipment
Number of Hard Drives Tested by Type of Equipment

Type of Equipment      Workstations   Laptops   Servers   Total
Total Tested                    253         2        19     274
Not Sanitized                     5         0         0       5
Contained PII                     4         0         0       4
Hard Drives Missing              39         2         0      41

[21] See Footnote 15.
[22] Philadelphia Hearing Office; Philadelphia Regional Office; Richmond Downtown Field Office, Camp Springs Field Office, and Postal Plaza Field Office.

Table 2: OIG Hard Drive Test Results by Site
Number of Hard Drives Tested by Site

Test Sites                               HQ   Site 1   Site 2   Site 3   Site 4   Site 5   Total
Sanitization Performed by SSA Staff       0        7       66        6       47       33     159
Sanitization Performed by a Contractor   45       13        0       57        0        0     115
Total Tested                             45       20       66       63       47       33     274
Not Sanitized                             0        4        0        1        0        0       5
Contained PII                             0        3        0        1        0        0       4
Hard Drives Missing                       5        0       34        0        2        0      41

We also found incidents where the Agency released IT equipment that was not properly sanitized. In May 2009, a private citizen called the police after the words “Social Security” appeared when accessing hard drives purchased over the Internet. In March 2010, Office of the Inspector General (OIG) investigators found SSA laptops purchased at a General Services Administration auction had not been sanitized. While the numbers of hard drives containing PII may be relatively small, the above examples reflect the potential risk of negative publicity as well as the risk of disclosing PII.

IT Media Awaiting Disposal Contained PII

We found four of the five unsanitized workstation hard drives contained PII. Our initial testing of server hard drives indicated that some of the hard drives contained data. However, further testing was required to determine the data content of the server hard drives. We performed the additional testing and determined the server hard drives were successfully sanitized of all PII and contained no significant data.

Federal agencies are required to apply NIST guidance to sanitize information system media before disposal.[23] However, SSA’s policy and process had some weaknesses. As previously stated, SSA policy does not require testing a sample of sanitized media to verify all data and programs are erased before disposal, nor does it require an employee be designated to certify excess equipment as properly sanitized. A single hard drive can contain a significant amount of PII; therefore, SSA was at risk of a significant PII breach.

[23] See Footnote 11.

During our site visits, we found the following control issue that may also be a contributing factor to why hard drives had not been properly sanitized. At our site visits, we observed that some equipment identified as sanitized was not physically marked as sanitized. This was evident at locations where hard drives were found not to be sanitized. For example, we found workstations marked with Post-It Notes. However, the notes did not stick well, and many had fallen on the floor around the area where the workstations were stored. Therefore, some equipment that had not been sanitized could easily have been mixed up with equipment that had been sanitized. We recommend SSA use a better mechanism to mark IT equipment as sanitized or unsanitized. A better system to identify sanitized equipment will help ensure unsanitized equipment does not leave SSA.

As a result of our testing and findings, the Agency issued a memorandum to all SSA Regional Commissioners outlining procedures for excessing workstations.[24] The memorandum instructed offices to confirm the sanitization of workstations when performed by a contractor and mark sanitized workstations with a sticker or marker. We commend the Agency for its prompt attention to this matter; however, additional controls are necessary to prevent a breach of PII.

SSA should implement an agencywide policy to verify and document the sanitization of IT equipment. The policy should require marking all sanitized equipment and documenting the serial number of the IT media, if removed from the equipment. Furthermore, the policy should require that the sanitization method, date and type of disposal, and the recipient of the equipment be documented. Finally, the policy should require a representative sampling of IT media be tested for sanitization.

IT Media from Equipment Awaiting Disposal Was Missing

We found that hard drives from some equipment awaiting disposal could not be accounted for. NIST guidance states it is critical that an organization maintain a record of its sanitization to document what media were sanitized, when, how they were sanitized, and the final disposition of the media.[25]

We found the Agency does not track the serial numbers of hard drives. As shown in Table 2 above, 41 pieces of tested equipment (5 at Headquarters and 36 in the Philadelphia Region) did not contain hard drives. Agency staff stated that hard drives were removed for destruction when they could not be sanitized. In addition to these 41 missing hard drives, the Office of Publications and Logistics Management’s Center for Office Property management stated that servers received from Headquarters components for disposal generally do not contain hard drives. Since the Agency did not track the serial numbers of hard drives, there was no documentation to confirm the removed hard drives’ disposition.

[24] SSA Memorandum, Disk Wiping Procedures for Excessing Workstations – INFORMATION, February 24, 2010.
[25] NIST SP 800-88, Guidelines for Media Sanitization, Section 4.8, September 2006.

In our 2009 report on SSA’s compliance with FISMA,[26] we indicated that SSA needed to comply with OMB Memorandum M-06-19 and ensure proper handling of security incidents from the time of detection to final resolution. SSA management stated it strives to comply with OMB timeframes;[27] however, the Agency conducts additional research to confirm a PII incident actually occurred. The circumstances surrounding the 41 missing hard drives make it virtually impossible for SSA to confirm that the missing hard drives constitute a PII incident because SSA does not know whether the hard drives are within SSA’s control, destroyed, or in the public domain.

The 41 missing hard drives may contain PII. The Agency stated hard drives are removed for destruction when they cannot be sanitized. SSA, by the very nature of its mission, collects, stores, and maintains a vast amount of PII. OMB requires that agencies report all security incidents involving electronic or physical PII to the U.S. Computer Emergency Readiness Team (US-CERT).[28] OMB guidance indicates that agencies should not distinguish between suspected and confirmed breaches of PII.[29] Accordingly, we believe the Agency should report the 41 missing IT equipment hard drives identified in this report and any future missing IT equipment hard drives to US-CERT.

Further, the five missing hard drives at SSA Headquarters revealed another concern regarding SSA’s monitoring of its sanitization contractors. The workstations we selected for testing at Headquarters were awaiting donation and should have contained hard drives. Although the Agency stated the hard drives were removed for destruction and the workstations were erroneously placed on a skid for donation, documentation indicated the five hard drives had been successfully sanitized. SSA stated this documentation was provided by the contractor.[30] Further, the Agency stated it will require the contractor to correct its documentation. However, if the contractor’s documentation cannot be relied on, the Agency cannot be assured its hard drives are sanitized and destroyed. We recommend SSA monitor sanitization contractors to ensure tasks are completed properly and correctly documented.

[26] FISMA Report: Fiscal Year 2009 Evaluation of the Social Security Administration’s Compliance with the Federal Information Security Management Act (A-14-09-19047), November 2009.
[27] OMB Memorandum M-06-19, Reporting Incidents Involving PII and Incorporating the Cost for Security in Agency Information Technology Investments, July 12, 2006, requires agencies to report all security incidents involving PII within 1 hour of discovering the incident.
[28] Id. US-CERT is a Federal incident response center located in the Department of Homeland Security.
[29] OMB M-06-19, supra.
[30] We picked up our sample of hard drives from SSA Headquarters workstations on December 4, 2009. We were told this was the sanitization contractor’s second day at SSA.

On December 31, 2009, the Agency issued a new Request for Quote (RFQ)[31] to provide sanitization and destruction of hard drives in excessed equipment at Headquarters. In this RFQ, the Agency added the requirement to record the serial numbers from the removed hard drives, if destroyed. We commend the Agency for its prompt action; however, the RFQ applies to excessed equipment only at Headquarters. To mitigate the risk of a PII breach, the Agency must ensure all dispositions of IT media removed from equipment are properly tracked.

CONCLUSION AND RECOMMENDATIONS
Our review found that the Agency partially implemented Recommendation 5 from our 2002 report. We also found that SSA generally complied with its IT equipment disposal policies and procedures. However, there are opportunities to enhance the Agency’s IT equipment disposal policies and procedures and prevent a breach of PII. Therefore, SSA should:

1. Evaluate its IT media sanitization policies and procedures to ensure compliance with Federal laws, regulations, guidelines, standards, and best practices. At a minimum, SSA should
     a. Designate one or more employees within each region who will certify and erase all information from IT media.
     b. Test a representative sample of sanitized IT media to ensure all data and programs are effectively erased before disposal.
2. Identify and resolve the gaps between its IT media sanitization policy located in the ISSH and its procedures located in AIMS.
3. Properly mark excess IT equipment with hard drives as sanitized immediately after sanitization has been performed.
4. Properly track IT media (i.e., hard drives) through the sanitization and disposal process, and document the:
     a. serial numbers of hard drives that have been removed from IT equipment such as servers or desktops,
     b. sanitization method used,
     c. date and type of disposal, and
     d. recipient of the equipment.
5. Properly monitor sanitization contractors to ensure tasks are completed properly and correctly documented.
6. Report the 41 missing IT equipment hard drives identified in this report and any future undocumented disposal of IT equipment hard drives to US-CERT.

[31] An RFQ is a solicitation document used to obtain price, delivery, and other information from prospective contractors.

AGENCY COMMENTS AND OIG RESPONSE

SSA agreed with five of six of our recommendations. The Agency partially agreed with Recommendation 4. The Agency indicated it can revise its policies and procedures to secure hard drives that have been removed from desktops until destruction. We agree that these revisions will assist SSA to prevent a PII breach. However, we believe that tracking the serial numbers of removed hard drives would further assist the Agency to ensure that these hard drives have been properly accounted for. SSA’s comments are included in Appendix D.

OTHER MATTERS
After the conclusion of field work, we tested the Agency’s disposal of excess IT equipment in four regions[32] to determine if conditions similar to those noted in this report existed in the regions. In two regions, we again observed that some equipment identified as sanitized was not physically marked as sanitized. We found that all 20 server hard drives tested were properly sanitized; however, 2 of 291 workstation hard drives tested were not properly sanitized. One of the workstation hard drives contained PII. No laptops were available to test at the sites we visited.

Based on these results, we determined there is a similar need to improve controls over the disposal of excessed IT equipment outside of SSA’s Headquarters and Philadelphia Region. To that end, the corrective action taken in response to the above recommendations should be agencywide.

Patrick P. O’Carroll, Jr.

[32] We performed testing in SSA’s Atlanta, Chicago, New York, and Seattle Regions.

Appendices
APPENDIX A – Acronyms
APPENDIX B – Scope and Methodology
APPENDIX C – The Social Security Administration’s Media Sanitization Processes
APPENDIX D – Agency Comments
APPENDIX E – OIG Contacts and Staff Acknowledgments

Appendix A

Acronyms
AIMS          Administrative Instructions Manual System
COP           Center for Office Property
FISMA         Federal Information Security Management Act of 2002
FMR           Federal Management Regulation
ISSH          Information System Security Handbook
IT            Information Technology
MRM           Materiel Resources Manual
NIST          National Institute of Standards and Technology
OIG           Office of the Inspector General
OMB           Office of Management and Budget
OPLM          Office of Publications and Logistics Management
OTSO          Office of Telecommunications and Systems Operations
PII           Personally Identifiable Information
Pub. L. No.   Public Law Number
RFQ           Request for Quote
SP            Special Publication
SSA           Social Security Administration
U.S.C.        United States Code
US-CERT       United States Computer Emergency Readiness Team

Appendix B

Scope and Methodology
To meet our objective, we:

•   Researched related internal and external reviews;
•   Researched Agency policies and procedures regarding the disposal of personal property, including the
    o Information Systems Security Handbook, Chapter 10.0, Disposal of Information Technology Media Policy;
    o Administrative Instructions Manual System (AIMS), Materiel Resources Manual, Chapter 04, Property Management, Instruction Number 29, Disposal of Personal Property; and
    o AIMS, Materiel Resources Manual, Chapter 04, Property Management, Instruction Number 31, Donation of Computer Equipment for Educational Purposes.
•   Reviewed the following criteria:
    o The Privacy Act of 1974, as amended, 5 U.S.C. 552a;
    o Office of Management and Budget (OMB) Memorandum M-06-15, Safeguarding Personally Identifiable Information (PII), May 22, 2006;
    o OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of PII, May 22, 2007;
    o OMB Memorandum M-06-19, Reporting Incidents Involving PII and Incorporating the Cost for Security in Agency Information Technology Investments, July 12, 2006;
    o National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Rev 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009;
    o NIST SP 800-88, Guidelines for Media Sanitization, September 2006; and
    o General Services Administration’s Federal Management Regulation, Subchapter B – Personal Property, Part 102-35 – Disposition of Personal Property.
•   Reviewed the contracts and records for contractors involved in the sanitization of Agency equipment;
•   Interviewed SSA personnel from the Offices of
    o Disability Adjudication and Review, Region III;
    o Operations, Region III;
    o Publications and Logistics Management, Office of Property Management, Center for Office Property; and
    o Systems, Office of Telecommunications and Systems Operations.
•   Tested the hard drives of excessed equipment identified as sanitized from Headquarters and the Philadelphia Region to determine whether they were effectively sanitized. We tested the hard drives of equipment at each location in the region within 24 hours of notification.

At Headquarters, we examined 45 workstations identified as sanitized and awaiting donation. Although the Agency had laptops awaiting disposal at Headquarters, we were unable to test their hard drives because the hard drives had not yet been sanitized. Also, no server hard drives were available for testing at Headquarters.

In the Philadelphia Region, we examined all the excessed IT equipment reported as having been sanitized at the Philadelphia Regional Office, one hearing office, and three field offices. The hard drives of two pieces of equipment were damaged and unreadable. We performed additional testing in four of SSA’s regions.

We performed our audit at SSA Headquarters and field locations in the Philadelphia Region from January through March 2010. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Appendix C

The Social Security Administration’s Media Sanitization Processes
At Headquarters, excess workstations, laptops, and servers were provided to the Office of Publications and Logistics Management’s (OPLM) Center for Office Property (COP). Although each component was responsible for removing Social Security Administration (SSA) records and files from the hard drives of its excessed equipment,[1] OPLM’s COP oversaw a contractor to sanitize or destroy the hard drives prior to disposal. The Agency stated the Contracting Officer Technical Representative for this contract tested some equipment marked by the contractor as sanitized to ensure sanitization was performed. Hard drives that could not be sanitized by OPLM’s COP were taken to the contractor’s facility and destroyed.

Further, based on discussions with Agency staff, SSA’s components can forward hard drives to the Office of Telecommunications and Systems Operations (OTSO) for destruction. According to OTSO procedures, OTSO sanitizes the hard drives upon receipt, and they are then taken to the contractor’s facility and destroyed.

In the Philadelphia Region, each office disposed of its own workstations, laptops, and servers. Sanitization was generally performed by SSA staff; however, offices had the option to have a contractor sanitize old workstations upon installation of replacement workstations. For some sites we visited, SSA staff stated that it tested the sanitized media before disposal.
If hard drives could not be sanitized, they were sent to OTSO\nfor destruction by a contractor.\n\n\n\n\n1\n    SSA AIMS, MRM 04.31.05 A.1.\n\x0c                  Appendix D\n\nAgency Comments\n\x0c                                          SOCIAL SECURITY\n\nMEMORANDUM\n\nDate:      October 8, 2010                                                        Refer To:\n\nTo:        Patrick P. O'Carroll, Jr.\n           Inspector General\n\nFrom:      James A. Winn /s/\n           Executive Counselor\n           to the Commissioner\n\nSubject:   Office of the Inspector General (OIG) Draft Report, \xe2\x80\x9cThe Social Security Administration\xe2\x80\x99s\n           Controls for Ensuring the Removal of Sensitive Data From Excessed Computer Equipment\xe2\x80\x9d\n           (A-14-10-11003)\xe2\x80\x94INFORMATION\n\n\n           Thank you for the opportunity to review the draft report. Attached is our response to the report\n           recommendations.\n\n           Please let me know if we can be of further assistance. Please direct staff inquiries to\n           Rebecca Tothero, Acting Director, Audit Management and Liaison Staff, at (410) 966-6975.\n\n           Attachment\n\n\n\n\n                                                          D-1\n\x0cCOMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL (OIG) DRAFT\nREPORT, \xe2\x80\x9cTHE SOCIAL SECURITY ADMINISTRATION\xe2\x80\x99S CONTROLS FOR\nENSURING THE REMOVAL OF SENSITIVE DATA FROM EXCESSED COMPUTER\nEQUIPMENT\xe2\x80\x9d A-14-10-11003\n\nThank you for the opportunity to review the subject draft report. We offer the following\ncomments.\n\nRecommendation 1\n\nEvaluate its information technology (IT) media sanitization policies and procedures to ensure\ncompliance with Federal laws, regulations, guidelines, standards, and best practices. At a\nminimum, SSA should:\n\n       a. Designate one or more employees within each region who will certify and erase all\n          information from IT media.\n\n       b. 
Test a representative sample of sanitized IT media to ensure all data and programs are\n          effectively erased before disposal.\n\nComment:\n\nWe agree. We have evaluated our IT policies and procedures, and we are preparing a\ncomprehensive update to our Administrative Instructions Manual System (AIMS) guide,\nMateriel Resources Manual (MRM) 04.29, Disposal of Personal Property, in which we will\ndesignate regional employees to assume these roles. As stated in the Information Systems\nSecurity Handbook (ISSH), Appendix B, the Site LAN Coordinator (SLC), and the Local Area\nNetwork (LAN) administrator are working to implement LAN security standards. Our revised\nAIMS MRM 04.29 will designate the SLC to follow the ISSH workstation replacement\nprocedures and erase or wipe clean all hard drives before removal from the worksite, or the SLC\nmust oversee the workstation replacement contractor\xe2\x80\x99s performance. In addition, we will\ndesignate property managers, custodial officers (CO), and alternate custodial officers (ACO) to\ncertify data erased from IT media. Our updated AIMS MRM 04.29 will include instructions to\nthe COs and the ACOs to follow the ISSH procedures and test a representative sample of IT\nmedia based on the volume of excessed equipment to ensure we have erased all data.\n\nIn our headquarters offices, we will continue to monitor contractor performance to sanitize or\ndestroy the hard drives prior to disposal. In June 2010, we conducted the first sample testing of\nthe headquarters contractor and detected no problems or errors. In the future, we will randomly\ntest the contractor\xe2\x80\x99s performance for all services.\n\nRecommendation 2\n\nIdentify and resolve the gaps between its IT media sanitization policy located in the ISSH and its\nprocedures located in AIMS.\n\n\n\n\n                                               D-2\n\x0cComment:\n\nWe agree. 
We will completely update AIMS MRM 04.29 using current ISSH policies and\nprocedures and applicable security references. We will complete the draft guide and make it\navailable for inter-component review.\n\nRecommendation 3\n\nProperly mark excess IT equipment with hard drives as sanitized immediately after sanitization\nhas been performed.\n\nComment:\n\nWe agree. On March 1, 2010, we awarded the sanitization and destruction services contract to\nTurtle Wings (Data Killers), the headquarters\xe2\x80\x99 contractor. The current contract extends through\nfiscal year 2015 and includes our amended language to mark excess IT equipment.\nWe are developing a standard label for purchase and distribution to all offices. The label will\nshow pertinent information such as \xe2\x80\x9cPass/Fail Sanitized,\xe2\x80\x9d \xe2\x80\x9cDate Sanitized or Attempted,\xe2\x80\x9d \xe2\x80\x9cSSA\nNames/Position Titles or Contractor Names for Erasure and Certification,\xe2\x80\x9d and \xe2\x80\x9cSerial Number\nof Removed Hard Drive(s).\xe2\x80\x9d Our new AIMS update will include these new procedures.\n\nRecommendation 4\n\nProperly track IT media (i.e., hard drives) through the sanitization and disposal process, and\ndocument the:\n\n       a. Serial numbers of hard drives that have been removed from IT equipment such as\n          servers or desktops;\n\n       b.   Sanitization method used;\n\n       c. Date and type of disposal; and\n\n       d. Recipient of the equipment.\n\nComment:\n\nWe partially agree. While working with the OIG we readily agreed to amend the language in the\nheadquarters\xe2\x80\x99 blanket purchase agreement sanitizing contract for hard drives marked for\ndestruction. 
The contractor now includes all information listed in this recommendation in its\nreport to our Office of Publications and Logistics Management.\n\nHowever, after closer examination of the fifth recommendation in this report and the\nrequirements to implement this process agency-wide we now offer other options. We fully\nconcur with this recommendation for servers that contain multiple hard drives. The vendor\nprovides the hard drive serial numbers associated with each server upon initial acquisition of the\n\n\n\n                                                D-3\n\x0cequipment. System\xe2\x80\x99s Change, Asset, and Problem Reporting System (CAPRS) tracks the serial\nnumbers of the hard drives in servers, and the information is available from the time of purchase\nto removal of the hard drives. Desktops present a big challenge. Neither CAPRS nor Sunflower\n(our property accountability system) includes the hard drive serial number associated with each\ncentral processing unit (CPU) desktop. The serial number is unknown, and to obtain the\ninformation would prove to be very labor-intensive for our property managers while adding little\nvalue to the risk of losing personally identifiable information (PII). While awaiting destruction,\nthe real concern is unauthorized access to these hard drives once removed from the CPU. We\ncan implement the recommendation by revising current policies and procedures in the AIMS\nguide that require SLCs, property managers, and contractors to remove the hard drives and place\nthem in a secure location with restricted access while awaiting destruction and to destroy laptops\nand Blackberries if they fail the disk wipe procedures.\n\nRecommendation 5\n\nProperly monitor sanitization contractors to ensure tasks are completed properly and correctly\ndocumented.\n\nComment:\n\nWe agree. We amended the March 2010 contract for headquarters and in April 2010 worked\nwith the contractor on our requirements. 
The contractor performed acceptable services during a\nvisit in June 2010. As needed, we will contact the contractor for future headquarters sanitization\nand destruction services. For the regional offices, we will add these requirements to our revised\nAIMS guide that will apply to our employees and contractors.\n\nWhile some contracts include provisions for the vendor to perform IT media sanitization, it is the\nresponsibility of each of our offices to monitor the vendor properly. When the vendor sanitizes\nIT media during warranty repair, the vendor is required to maintain a secure chain of custody and\nprovide a monthly report accounting for any recovered IT media.\n\nRecommendation 6\n\nReport the 41 missing IT equipment hard drives identified in this report and any future\nundocumented disposal of IT equipment hard drives to the United States Computer Emergency\nReadiness Team (US-CERT).\n\nComment:\n\nWe agree. We will follow the PII loss procedures in ISSH and will tell our National Network\nService Center to relay the information to the US-CERT. We will add these current procedures\nto our revised AIMS procedures.\n\n\n[SSA also provided a technical comment that has been addressed, where\nappropriate, in the report.]\n\n\n\n                                               D-4\n\x0c                                                                     Appendix E\n\nOIG Contacts and Staff Acknowledgments\nOIG Contacts\n\n   Brian Karpe, Director, Information Technology Audit Division\n\n   Grace Chi, Audit Manager\n\nAcknowledgments\n\nIn addition to those named above:\n\n   Michael Zimmerman, Auditor\n\nFor additional copies of this report, please visit our Website at\nwww.socialsecurity.gov/oig or contact the Office of the Inspector General\xe2\x80\x99s Public\nAffairs Staff Assistant at (410) 965-4518. 
Refer to Common Identification Number\nA-14-10-11003.\n\x0c                            DISTRIBUTION SCHEDULE\n\nCommissioner of Social Security\nChairman and Ranking Member, Committee on Ways and Means\nChief of Staff, Committee on Ways and Means\nChairman and Ranking Minority Member, Subcommittee on Social Security\nMajority and Minority Staff Director, Subcommittee on Social Security\nChairman and Ranking Minority Member, Committee on the Budget, House of\nRepresentatives\nChairman and Ranking Minority Member, Committee on Oversight and Government\nReform\nChairman and Ranking Minority Member, Committee on Appropriations, House of\nRepresentatives\nChairman and Ranking Minority, Subcommittee on Labor, Health and Human Services,\nEducation and Related Agencies, Committee on Appropriations,\n House of Representatives\nChairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Subcommittee on Labor, Health and Human\nServices, Education and Related Agencies, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Committee on Finance\nChairman and Ranking Minority Member, Subcommittee on Social Security Pensions\nand Family Policy\nChairman and Ranking Minority Member, Senate Special Committee on Aging\nSocial Security Advisory Board\n\x0c                         Overview of the Office of the Inspector General\nThe Office of the Inspector General (OIG) is comprised of an Office of Audit (OA), Office of Investigations\n(OI), Office of the Counsel to the Inspector General (OCIG), Office of External Relations (OER), and Office of\nTechnology and Resource Management (OTRM). 
To ensure compliance with policies and procedures, internal\ncontrols, and professional standards, the OIG also has a comprehensive Professional Responsibility and Quality\nAssurance program.\n                                                  Office of Audit\nOA conducts financial and performance audits of the Social Security Administration\xe2\x80\x99s (SSA) programs and\noperations and makes recommendations to ensure program objectives are achieved effectively and efficiently.\nFinancial audits assess whether SSA\xe2\x80\x99s financial statements fairly present SSA\xe2\x80\x99s financial position, results of\noperations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA\xe2\x80\x99s\nprograms and operations. OA also conducts short-term management reviews and program evaluations on issues\nof concern to SSA, Congress, and the general public.\n                                              Office of Investigations\nOI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and operations.\nThis includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing\ntheir official duties. This office serves as liaison to the Department of Justice on all matters relating to the\ninvestigation of SSA programs and personnel. OI also conducts joint investigations with other Federal, State,\nand local law enforcement agencies.\n                            Office of the Counsel to the Inspector General\nOCIG provides independent legal advice and counsel to the IG on various matters, including statutes,\nregulations, legislation, and policy directives. 
OCIG also advises the IG on investigative procedures and\ntechniques, as well as on legal implications and conclusions to be drawn from audit and investigative material.\nAlso, OCIG administers the Civil Monetary Penalty program.\n                                        Office of External Relations\nOER manages OIG\xe2\x80\x99s external and public affairs programs, and serves as the principal advisor on news releases\nand in providing information to the various news reporting services. OER develops OIG\xe2\x80\x99s media and public\ninformation policies, directs OIG\xe2\x80\x99s external and public affairs programs, and serves as the primary contact for\nthose seeking information about OIG. OER prepares OIG publications, speeches, and presentations to internal\nand external organizations, and responds to Congressional correspondence.\n                           Office of Technology and Resource Management\nOTRM supports OIG by providing information management and systems security. OTRM also coordinates\nOIG\xe2\x80\x99s budget, procurement, telecommunications, facilities, and human resources. In addition, OTRM is the\nfocal point for OIG\xe2\x80\x99s strategic planning function, and the development and monitoring of performance\nmeasures. In addition, OTRM receives and assigns for action allegations of criminal and administrative\nviolations of Social Security laws, identifies fugitives receiving benefit payments from SSA, and provides\ntechnological assistance to investigations.\n\x0c"